AUDIT OF SBA’S ACQUISITION, DEVELOPMENT AND IMPLEMENTATION OF THE JOINT
ACCOUNTING AND ADMINISTRATIVE MANAGEMENT SYSTEM

AUDIT REPORT NUMBER 3-32

JUNE 30, 2003

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be
released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
Washington, DC 20416

AUDIT REPORT
ISSUE DATE: June 30, 2003
REPORT NUMBER: 3-32

To:        Chief Operating Officer

           Thomas A. Dumaresq
           Chief Financial Officer

           Steven D. Galvan
           Chief Information Officer

Through:   Lisa M. Goeas
           Chief of Staff

From:      Robert Seabrooks /s/ Original signed
           Assistant Inspector General for Auditing

Subject:   Audit of SBA’s Acquisition, Development and Implementation of the Joint
           Accounting and Administrative Management System

Attached is a copy of the subject audit report. The report contains six findings with two
recommendations addressed to the Chief Operating Officer, five recommendations to the Chief
Financial Officer, and nine recommendations to the Chief Information Officer.
The Chief Financial Officer’s and Acting Chief Information Officer’s joint response to the draft report is
synopsized in the report and included in its entirety at Appendix A. The Chief Operating Officer
did not provide a response to the draft report because the position was vacant when the response
was due. Accordingly, the recommendations addressed to the Chief Operating Officer will be
addressed during the audit follow-up and resolution process.

The recommendations in this audit report are based on the conclusions of the Auditing
Division. The recommendations are subject to review, management decision and action by your
office in accordance with existing Agency procedures for audit follow-up and resolution.

Please provide us your management decision for each recommendation addressed to you
within 30 days. Your management decisions should be recorded on the attached SBA Forms
1824, “Recommendation Action Sheet,” and show either your proposed corrective action and
target date for completion, or explanation of your disagreement with our recommendations.

Any questions or discussion of the findings and recommendations contained in the report
should be directed to Robert G. Hultberg, Director, Business Development Programs Group at
(202) 205-7577.

Attachment

Table of Contents

SUMMARY

INTRODUCTION

    A. Background
    B. Objectives and Scope

RESULTS OF AUDIT

    Finding 1 – The BTIC Received Biased and Misleading Information for Selecting a Financial Accounting System
    Finding 2 – Conflicts of Interest in Selection and Implementation of a Financial Accounting System
    Finding 3 – Demonstrated JA2MS Database and all Software Purchased not Implemented
    Finding 4 – JA2MS System Security does Not Fully Protect SBA
    Finding 5 – System Testing Prior to Implementation was Not Adequate
    Finding 6 – JA2MS is not Fully JFMIP Compliant and does not Meet System Requirements

APPENDIX

    A. Management Response to Draft Report
    B. Report Distribution

SUMMARY

In October 2001, SBA implemented Phase I of the Joint Accounting and Administrative
Management System (JA2MS) to replace SBA’s Federal Financial System (FFS). JA2MS was
part of the Systems Modernization Initiative (SMI) and SBA’s intention was to procure a
Commercial-Off-The-Shelf (COTS) product. SBA further decided that JA2MS would integrate
SBA’s business units such as finance, procurement, and human resource functions.
JA2MS would be developed in three phases: (I) implement a financial accounting system to replace FFS,
(II) integrate procurement and grants, travel, and human resource functions, and (III) implement
a data warehouse capability. The JA2MS project was estimated to cost $6.4 million when all
three phases were expected to be implemented in FY 2002; however, Phases II and III have been
put on hold due to cost issues from Phase I.

The audit objectives were to determine whether: (1) the selection methodology and the
supporting documentation indicated that the system selected would deliver the most functionality
for the least cost, (2) there were adequate management controls over the process of acquiring and
implementing JA2MS, and (3) the system performs as expected and meets user requirements.

The audit disclosed the following:

• SBA’s Business Technology Investment Committee (BTIC) received biased and
  misleading information on costs, benefits, and alternatives on which to base its decision
  to select a new financial accounting system.

• The JA2MS selection process was not free of inherent bias or conflicts of interest towards
  one competing product because SBA did not require a separation of duties by contractors
  in the system selection process, system requirements collection process and the design
  and implementation phase of the JA2MS system.

• SBA did not implement the Oracle database management system that had been
  demonstrated and approved by the BTIC. Additionally, SBA purchased and bought
  license updates for software modules which it has never implemented.

• JA2MS was not fully accredited by the Chief Financial Officer (CFO) prior to being put
  into production at its permanent site.
  Additionally, other aspects of JA2MS may not
  allow for complete confidentiality of sensitive SBA personnel information.

• JA2MS was placed into production without sufficient and complete testing of functions
  and interfaces.

• JA2MS has not fully met JFMIP requirements, even though Oracle Federal Financials is
  certified as being JFMIP compliant. Additionally, JA2MS does not meet a number of
  major system requirements including many of the aspects of an Enterprise Resource
  Planning (ERP) system.

We made recommendations to the Chief Operating Officer (COO) to:

• Separate system recommendation activities from system design and implementation
  activities to ensure that the same entity does not perform duties with conflicting roles and
  responsibilities.

We made recommendations to the Chief Information Officer (CIO) to:

• Require that in the future, entities that prepare business case or cost benefit analysis
  documentation report directly to the CIO rather than the SBA sponsoring office.
• Create a quality control process to validate the estimations and projections in business
  case or cost benefit analysis.
• Update the SBA Systems Development Manual (SDM) to add emphasis that business
  case or cost benefit analysis must fully and fairly evaluate all competing alternatives, be
  written in a neutral manner so as not to unduly influence the BTIC, and contain cost and
  benefit estimations which are realistically and conservatively estimated and determined.

We made recommendations to the Chief Financial Officer to:

• Review the JA2MS procurement contract to determine if annual license fees for software
  purchased but not currently implemented can be suspended until the software is actually
  implemented.
• Seek monetary recovery from World Wide Technology, Inc., or an in-kind contribution
  of additional Oracle Discoverer licenses to compensate for the unusable Financial
  Analyzer software.

The Chief Financial Officer and Acting Chief Information Officer provided a joint
response to the draft report. The Chief Operating Officer did not provide a response to the draft
report as the position is currently vacant. Recommendations to the Chief Operating Officer will
be resolved during the audit resolution process. Management agreed or partially agreed to all but
three recommendations in the draft report. We subsequently modified two of our
recommendations and dropped one recommendation to address management’s concerns.

INTRODUCTION

A. Background

For a number of years, SBA utilized American Management Systems’ (AMS)
Federal Financial System (FFS) to provide administrative accounting capabilities. FFS
performed this through several subsystems and system interfaces including budget,
general ledger, NFC payroll interface, automated disbursements, accounts payable,
accounts receivable, and travel.

The Department of Treasury (Treasury) Financial Management Service (FMS)
operated FFS through a cross-servicing agreement with SBA and was responsible for
maintaining the related software and hardware in Hyattsville, Maryland. In 1997,
Treasury informed SBA that the Hyattsville data center would cease operations sometime
in the future. By 1999, SBA began to explore alternatives to FFS as part of its Systems
Modernization Initiative (SMI).
In June 2000, Treasury informed SBA that FMS would
cease its data center operations in September 2002.

As part of SMI, SBA began the Joint Accounting and Administrative
Management System (JA2MS) initiative. JA2MS would be a Commercial-Off-The-Shelf
(COTS) product to replace FFS. SBA further decided that JA2MS would integrate SBA’s
business units through Enterprise Resource Planning¹ (ERP) software. ERP was
envisioned to control finance, procurement, and human resource functions. JA2MS
would be developed in three phases: (I) implement a financial accounting system to
replace FFS, (II) integrate procurement and grants, travel, and human resource functions,
and (III) implement a data warehouse capability. The JA2MS project was estimated to
cost $6.4 million when all three phases were fully implemented in FY 2002.

The JA2MS development project was approved using Clinger-Cohen guidelines
and SBA’s Business Technology Investment Council (BTIC).

SBA hired SRA International (the Contractor) in 1999 to analyze SBA’s current
financial accounting capabilities and requirements, recommend a replacement system
through a business case or cost and benefits analysis, and implement the system.

The Contractor presented a business case (e.g. cost benefits analysis) that
documented the results of comparing four alternatives to the current FFS system. The
four alternative packages analyzed were from Oracle Corporation, AMS, PeopleSoft and
SAP. Oracle was rated highest and recommended as the COTS/ERP solution for JA2MS
development. The recommendation to implement Oracle and outsource the hosting and
maintenance was approved by SBA, and documented in the System Acquisition Decision
Paper on June 26, 2000.
The JA2MS business case provided analyses based upon all
three phases of JA2MS being developed and implemented in the three-year projected time
frame.

¹ An integrated information system that serves all departments within an enterprise.
Evolving out of the manufacturing industry, ERP implies the use of packaged software
rather than proprietary software written by or for one customer. (Source:
TechEncyclopedia).

SBA purchased Oracle Federal Financials from World Wide Technology, Inc. (a
small disadvantaged business and a value-added reseller) off a GSA Multiple Award
Schedule. SBA policies require the agency to contract with small disadvantaged businesses
whenever practicable. SBA could have purchased the software directly from Oracle
Corporation for $60,728 less; however, it chose to purchase from World Wide
Technology, Inc. to show its support for small business.

SBA implemented JA2MS on October 1, 2001. However, due to the cost issues
for implementing Phase I, which have exceeded the entire budget for full JA2MS
implementation, Phases II and III have been put on hold.

B. Objectives and Scope

The objectives of the audit were to determine whether: (1) the selection
methodology and the supporting documentation indicated that the system selected would
deliver the most functionality for the least cost, (2) there were adequate management
controls over the process of acquiring and implementing JA2MS, and (3) the system
performs as expected and meets user requirements.

Fieldwork was performed in the Denver Finance Center and SBA Headquarters in
Washington, DC, from September 2001 to September 2002. Fieldwork included review
of documents, analytical procedures, and interviews with management, project staff and
JA2MS users in different program offices.
The audit was conducted in accordance with
Government Audit Standards.

RESULTS OF AUDIT

FINDING 1 The BTIC Received Biased and Misleading Information for Selecting a
          Financial Accounting System

SBA’s BTIC received biased and misleading information on costs, benefits, and
alternatives on which to base its decision to select a new financial accounting system.
This biased and misleading information included: (1) an SBA statement of work which
reflected a predetermination to select a COTS/ERP software solution, (2) a JA2MS
business case with wording which was heavily weighted towards emphasizing an ERP
solution, (3) estimated benefits totaling $7.89 million for four years in the business case
which have not materialized, and (4) cost projections which were underestimated by $7.7
million through FY 2002. This occurred because SBA had biased the business case
analysis by emphasizing the need for an ERP. Additionally, there were no quality control
processes over the documentation and project cost and benefit information the BTIC
received and reviewed.
As a result, the selection of a new financial accounting system
was basically flawed because the outcome was pre-determined by the inherent bias and
inaccurate supporting documents the BTIC received.

The Clinger-Cohen Act requires agencies to improve their acquisition of
information technology by implementing efficient and effective capital planning
processes for selecting, managing, and evaluating the results of all of its major
investments in IT systems.

The three facets of capital planning are:

• Selection – Select the IT projects that will best support mission needs and
  evaluate the project's costs, benefits and risks before spending significant
  amounts of money,
• Control – Ensure that the projects deliver the projected benefits in accordance
  with the projected costs and time frames, and
• Evaluate – Assess the project's impact on mission performance, modify the
  system to achieve maximum benefits, and revise the investment review
  process based on lessons learned.

Our review of SBA’s attempt to utilize Clinger-Cohen capital planning
requirements to make an informed large-scale Information Technology investment
decision identified that SBA needs to revise the investment review process based upon
lessons learned from JA2MS.

a. The SBA Statement of Work Reflected a Predetermination to Select a
   COTS/ERP Product

The SBA Office of Chief Information Officer (OCIO) issued a Statement of Work
for JA2MS in September 1999 which directed the Contractor to recommend a COTS/ERP
product. This occurred because SBA had predetermined the result which it desired.
As a result, the business case or cost and benefits analysis was irrelevant to true system
selection, but was used as an aid in influencing the BTIC and providing justification to
OMB.

According to SBA’s Systems Development Methodology, a cost and benefits
analysis is to be performed on each competing alternative. The current system, proposed
system, and each alternative system identified are described and their associated benefits
and costs determined. These benefits and costs include developmental as well as
operational (both one-time and recurring) costs.

The SBA Statement of Work contained the following wording:

    The last decade has seen a remarkable evolution of Commercial-Off-The-Shelf
    (COTS) applications that automate the wide variety of business roles
    and activities inherent in an enterprise like SBA. Such systems are called
    Enterprise Resource Planning Systems (ERP)…The goal – particularly for
    the SBA who struggles to quickly balance the Agency’s books – is to
    enable SBA’s business units to operate in a totally integrated fashion.
    COTS/ERP software modules control finance, procurement, and human
    resource functions…A COTS/ERP product will be recommended for
    selection at the end of phase I.

    The specific objective of this Task Order is to build a well-documented
    “Business Case” for the [JA2MS], from the point of view of the business
    areas in Human Resources, Procurement, the CFO and the CIO.
    The business case will document the business and technical need for the
    COTS/ERP product based on the SBA’s primary functional requirements
    and will document the product evaluation methodology and approach used
    to arrive at the final COTS/ERP product. Substantive analyses on research
    and evaluation methods, alternatives, cost/benefits, etc., will also be
    included in the business case. The final recommendation in the business
    case will detail the strengths of the selected product and the anticipated
    outcomes of implementation.

It is clear from the Statement of Work that SBA did not ever desire that a valid
cost and benefits analysis be performed on all competing alternatives including the
existing system. From the beginning of the project, the contractor was expected to
present results for a COTS/ERP.

b. Wording of the Business Case and System Decision Paper Emphasized the Need
   for an Enterprise Resource Planning System

The JA2MS Decision Paper and Business Case emphasized that SBA needed a
COTS/ERP system to replace SBA’s present financial accounting system. The wording
from these two documents was heavily weighted towards emphasizing the need for an
ERP. As a result, the JA2MS Business Case and resulting Decision Paper identified an
incorrect picture of what benefits an ERP would generate for SBA if the recommended
package was developed as SBA’s new accounting and financial management package.

The following were the benefits identified in SBA’s Business Case if an ERP was
selected:

    ERP Benefits – The implementation of an ERP would make SBA
    compliant with JFMIP requirements and give the organization a modern
    back-office infrastructure.
    This infrastructure is important to the SBA, as
    it provides the foundation for other systems modernization
    initiatives…Additionally, an ERP infrastructure will allow SBA to fully
    participate in e-commerce and customer relationship management
    activities – requirements for the SBA to realize its vision of becoming a
    leading-edge 21st century institution. It should be noted that while an
    ERP is integrated, no ERP solution offered 100% integration. Oracle will
    still need to integrate travel and contracts management. But this amount
    of integration is a significant improvement over the current baseline
    system.

In contrast, the wording in SBA’s Business Case for keeping SBA’s present
financial and accounting system, upgrading that system and moving it to a different
cross-service provider was:

    Remaining with FFS dictates that SBA continue business as usual –
    paper-intensive processes, duplicative efforts, errors in data entry and
    computations, delayed responses, minimal risk management and internal
    controls, and the inability to satisfy numerous regulatory authorities.
    Through extensive benchmarking analysis, the [Contractor] revealed that
    SBA productivity was hampered by inefficient manual processes and
    redundant tasks. The time dedicated to operational and administrative
    support is at the expense of higher-level management functions such as
    decision support, investment, and risk management.
    Remaining with FFS
    is a low-risk, low-improvement approach that will not address SBA’s core
    problems and inefficiencies.

The JA2MS Decision Paper documented SBA’s approval for the JA2MS project
and the selection of Oracle Federal Financials. The JA2MS Decision Paper identified the
following:

    The business owners desired a fully integrated system solution for
    addressing operational gaps in performing human resource, procurement,
    and financial management functions. The requirements for successfully
    performing integrated human resource, procurement, and financial
    management have changed dramatically. However, SBA’s information
    systems have not been modernized to support JFMIP requirements.

    The Contractor was hired to analyze the Agency’s needs, define technical
    requirements, and evaluate integrated commercial-off-the-shelf enterprise
    resource planning products. The business case evaluated the baseline
    system against the JFMIP approved list of three products.

    Remaining with the current system with a new cross-service provider
    would cost SBA $6.3 million over six years. Whereas implementing the
    recommended solution would cost SBA $11.1 million over the same six
    years.

    The recommendation of the JA2MS working group was Oracle Federal
    Financials. The recommendation identified that implementing an ERP
    requires the sacrifice of near-term objectives for long-term gain.

The JA2MS decision was ultimately based upon the belief that SBA would attain
the benefits identified in the business case.
The current CFO indicated that none of the
projected benefits have been realized. (See finding 1.c.)

c. Benefits of an ERP were Overstated

The SBA JA2MS Business Case overstated the projected benefits of implementing
an ERP system. This occurred because there were no validity controls over the benefit
estimation process to ensure that calculated benefits were realistic and possible when the
new system was implemented. As a result, the projected benefits have not been realized
and the underlying reasons for selecting an ERP system have not been attained.

The JA2MS Business Case provided an estimation of the benefits of three
alternatives under consideration. For both ERP system alternatives, the benefits were
estimated at $1,517,000 in FY 2002 and $2,127,000 per year thereafter. Increased
efficiencies in the areas of Finance, Human Resources, Procurement, and Information
Technologies would result in cost avoidance and dollar savings. SBA’s current costs in
these areas were compared to the lower costs of similar sized highly efficient businesses
and government agencies.
The projected benefits are summarized in Table 1.

Table 1
ERP Solution Benefits ($000)

                                             FY02     FY03     FY04     FY05
Finance                                       430      860      860      860
  Reduction in interest payments               20       40       40       40
  Efficiencies in transaction processing      275      550      550      550
  Budgeting                                    84      168      168      168
  GL maintenance                               24       48       48       48
  Other financial processes                    28       55       55       55

HR                                            121      241      241      241
  Admin & Risk Mgmt                            83      165      165      165
  Employee Staffing & Selection                38       76       76       76

Procurement                                    60      120      120      120
  Requisition & PO Processing                  38       75       75       75
  Problem Resolution                           23       45       45       45

IT                                            906      906      906      906
  Treasury-FFS                                900      900      900      900
  SACONS                                        6        6        6        6

Total                                       1,517    2,127    2,127    2,127

Ultimately the benefits projected for the alternative that SBA selected, i.e., the
ERP solution with outsourced maintenance, had no real support. The benefits were based
on the premise that implementing the Oracle system would make SBA more efficient in
the processing of its administrative expenses as compared to businesses and government
agencies of its size (based on benchmarking results). The benefits, which were expected
to reach $2.1 million in FY 2003 and total $7.89 million for four years, were based on a
percentage reduction in costs, but there was no clear description of how these cost
reductions would be attained or how increased efficiencies would be achieved.
Post-implementation feedback from the current Chief Financial Officer indicates that none of
the estimated benefits have been attained since the system went into production.

d. Costs of an ERP System were Understated

The SBA JA2MS Business Case significantly underestimated costs to develop an
ERP system, costs for system integration, as well as yearly costs to maintain the system.
This occurred because there were no validity controls over the cost estimation process to
ensure that the projected costs of the alternative systems were reasonable and realistic.
As a result, the costs to develop the initial phase of the JA2MS system have been more
than the entire projected costs of all three development phases.

As of June 2002, SBA spent $14 million to develop and maintain JA2MS. The
business case estimated that SBA would have spent $6.4 million through FY 2002 and
would have achieved significantly more functionality than what the previous system had
delivered. As a result, JA2MS has been a more expensive system to build and maintain
than estimated in the business case.
A comparison of planned to actual costs is presented
in Table 2.

Table 2
JA2MS Cost Variances

Fiscal Year    Projected Costs    Actual Costs     Difference
1998                        $0        $232,677       $232,677
1999                        $0        $964,704       $964,704
2000                $1,190,000      $6,046,051     $4,856,051
2001                $3,137,000      $4,417,785     $1,280,785
2002                $2,036,000      $2,424,497       $388,497
Totals              $6,363,000     $14,085,704     $7,722,704

As can be seen from the table, SBA did not include costs incurred prior to FY
2000 in its cost projection, making the system appear less costly. Additionally, SBA
underestimated the costs to maintain JA2MS. Maintenance includes training employees,
Application Service Provider fees, consultant fees and annual licensing fees. The
business case estimated maintenance costs at $1.6 million annually. Actual
maintenance costs are approximately $2.7 million per year.

Recommendations:

We recommend that the Chief Information Officer:

1A. Revise the Investment Technology Investment Manual (ITIM) to ensure that in
    future large scale system development projects:
    • The contractor or Government entity that prepares the business case or cost
      benefits analysis works directly for the CIO or a CIO designee rather than the
      SBA sponsoring office,
    • A quality control process is created whereby a second entity not associated
      with the originator of the business case or cost benefit analysis validates the
      estimations that are used to ensure accuracy of the projections and estimates.

1B. Update the Systems Development Manual to mandate that in future large scale
    system development projects:
    • Contractor Statements of Work for the business case or cost benefits analysis
      emphasize the need to fully and fairly evaluate all competing alternatives,
    • The narrative descriptions of the business case or cost benefits analysis are
      prepared with wording and factual representations as neutral as possible so as
      not to unduly bias the BTIC when making IT investment decisions,
    • The business case or cost benefits analysis contains only valid and supportable
      numerical projections of costs and benefits which are realistically and
      conservatively estimated and determined, and
    • SBA project management use Earned Value Management methods for all
      major IT investments.

Management Response:

SBA disagreed with recommendation 1A as originally written (that the Chief
Operating Officer oversee cost-benefit analysis or business case preparation). SBA noted
that the Clinger-Cohen Act assigns the CIO responsibility to provide advice to the
Agency head and senior managers to ensure that IT resources are acquired and managed
in accordance with the Act’s provisions and in line with Agency priorities.

SBA partially agreed with recommendation 1B. SBA suggested that the
recommendation be bolstered by requiring that Earned Value Management methods be
applied to all major IT investments so that planned versus actual cost, schedule and
performance information is reported to SBA project managers. Earned value is a
management technique that relates resource planning to schedules and to technical cost
and schedule requirements.

Assessment of Management’s Response:

Management’s comments are responsive to the recommendations.
We modified\nrecommendation 1A to require that the CIO rather than the COO oversee cost-benefit and\nbusiness case preparation. We also modified recommendation 1B to require Earned\nValue Management methods be applied to all major IT investments.\n\x0cFINDING 2 Conflicts of Interest in Selection and Implementation of a Financial\n          Accounting System\n\n        The JA2MS selection process was not totally free of inherent bias or conflicts of\ninterest towards one competing product. This occurred because SBA did not require a\nseparation of duties by contractors in the system selection process, system requirements\ncollection process and implementation phase of the JA2MS system. As a result, the\nsystem selected has been more expensive than competing alternatives and the benefits\nthat were supposed to exist in the new system have not materialized.\n\n        The Federal Acquisition Regulation (FAR) addresses Organizational and\nConsultant conflicts of interest in Subpart 9.5. The underlying objectives are to prevent\nthe existence of conflicting roles that might bias a contractor\xe2\x80\x99s judgment, and therefore\nprevent an unfair competitive advantage. The applicable rule in FAR is subpart 9.505-2\nwhich specifies that if a contractor provides material leading directly, predictably, and\nwithout delay to a work statement, that contractor may not supply the system, major\ncomponents of the system, or the system services.\n\n        While the contractor did not write a statement of work, the contractor was\nengaged in conflicting roles. By writing a business case and other materials leading\ndirectly and predictably to one of the competing alternatives, the contractor was able to\nrecommend a system which may have maximized the contractor\xe2\x80\x99s involvement as\ncompared to other alternatives which the contractor may have had less development and\nimplementation work to perform.\n\na. 
JA2MS Implementation Plan Written Prior to the JA2MS Business Case\n\n        An initial JA2MS implementation plan was written in March 2000, prior to the\nJA2MS business case (April 2000). This initial JA2MS implementation plan identified\nthat the software to be implemented would be Oracle Federal Financials. The JA2MS\nimplementation plan also included a description of implementation methodology for the\nsoftware, a work plan and a staffing schedule. After the initial JA2MS implementation\nplan, SBA had the same contractor write the JA2MS business case. The business case\nrecommended that SBA implement Oracle Federal Financials after a review of the\ncompeting alternatives. As a result, the Contractor performed inherently conflicting roles\nin assessing the costs and benefits of the competing software products while having\nalready planned for software implementation with one of the competing products.\n\n        According to SBA\xe2\x80\x99s Information Technology Investment Management (ITIM)\nGuide, a business case is to be developed once a potential need for a new system is\ndetermined. Additionally, SBA\xe2\x80\x99s Systems Development Methodology requires a cost\nbenefit analysis be performed on each competing alternative. The current system,\nproposed system, and each alternative system identified should be described and their\nassociated benefits and costs determined. These benefits and costs include\ndevelopmental as well as operational (both one-time and recurring) costs.\n\n       The business case is required by OMB and recommended by GAO for making\ninformation technology decisions as a part of Clinger-Cohen guidelines. Therefore, the\nbusiness case should be performed by an organization that has no obvious or potential\n\x0cinherent conflicts of interest. 
Since the business case makes projections as to future costs\nand benefits of a new system, compares the competing alternatives, and makes\nrecommendations as to which alternative to select, it must be a totally objective\ndocument. Additionally, the organization that develops the business case must not have a\nfinancial stake in the outcome of the selection process. The ultimate selection of Oracle\nindicated that the contractor would be given further work in requirements collection and\nsystem implementation. Had a competing product been selected, this may have meant\nreduced work for the contractor, but a much lower ultimate system implementation and\noperational cost to SBA.\n\nb. The same Contractor Collected System Requirements Documentation and\n   Developed the System\n\n        System requirements documentation and systems development were performed by\nthe same contractor. While these functions are not necessarily mutually exclusive, the\ncontractor could have written system requirements in such a way as to bias the\nrequirements to a certain product or software suite. Since this same contractor also wrote\nthe JA2MS business case and had previously written a preliminary implementation plan\nfor a particular product, this therefore created a conflict of interest, since the contractor\nhad the ability to document requirements in a manner which would ultimately\nrecommend a particular software solution. As a result, system requirements were\nultimately biased towards one competing product which was ultimately selected.\n\n       While there are no laws or regulations which would prohibit the same contractor\nfrom collecting system requirements and designing and developing the system, such\nfunctions should be separated as the duties are quite different from each other. 
Generally,\nto avoid potential conflicts of interest and to ensure that system requirements and system\ndesign and development are performed by the contractor with the greatest expertise in\neach area, a separation should occur in these two vital areas.\n\nRecommendations:\n\n       We recommend that the Chief Operating Officer:\n\n2A.    Ensure that for future systems development efforts, SBA comply with Federal\n       Acquisition Regulations regarding separation of contractor duties. Specifically,\n       SBA should separate system selection activities such as preparation of a business\n       case or cost and benefits analysis from development activities such as collection\n       of system requirements, and system design and implementation.\n\n2B.    Revise the Information Technology Investment Manual (ITIM) to ensure that the\n       same contractor is not used for system recommendation activities (including\n       preparation of a business case) and system design and implementation activities.\n\nManagement Response:\n\n        SBA partially agreed with recommendation 2A. SBA agreed that separation of\nduties should be enforced under most circumstances. However, SBA disagreed that\nsystem requirements collection should be separated from system design and\n\x0cdevelopment, citing additional costs and the developer\xe2\x80\x99s need to verify requirements to\nensure system functionality.\n\n         SBA partially agreed with recommendation 2B. SBA noted that the contract\nmade with the developer to analyze SBA\xe2\x80\x99s financial accounting capabilities and\nrecommend a replacement system was separate and distinct from the contract made with\nthe same developer (through FEDSIM) to implement the system. 
SBA further noted that\nthere was no guarantee that the developer would receive any contract award subsequent\nto its completion of a business case.\n\nAssessment of Management\xe2\x80\x99s Response:\n\n        Management\xe2\x80\x99s comments are responsive to the recommendations. We modified\nrecommendation 2A to allow system requirements to be collected by the same entity that\ndesigns and develops the system. We did not modify recommendation 2B because\nregardless of the number of contracts awarded, system recommendation and selection\nactivities should not be performed by the same contractor who is designing and\nimplementing the systems.\n\x0cFINDING 3 Demonstrated JA2MS Database and all Software Purchased not\n          Implemented\n\n       As a part of JA2MS, SBA did not implement the Oracle database management\nsystem that had been demonstrated and approved by the BTIC. Additionally, SBA\npurchased and bought license updates for software modules which it has never\nimplemented. As a result, SBA has not achieved the functionality of the demonstrated\nsystem and has utilized a version of the system that is obsolete and unsupported by the\nvendor.\n\na. Planned Database and Application Release Not Implemented\n\n       The original documentation for purchasing and implementing JA2MS was for\nOracle Applications release 11i and Oracle relational database version 8i as SBA\xe2\x80\x99s\nfinancial management system. However, SBA implemented Application release 11.0.3\nand Oracle database version 8.0.5. According to SBA, this occurred because Oracle\nApplications Release 11i was not available during implementation and the database\nversion 8i was not compatible with Application Release 11.0.3. 
As a result, SBA\nimplemented an unsupported version of the Oracle database without a formal and\ndocumented assessment of the risks and potential adverse impacts on system\ndevelopment.\n\n       According to Federal Acquisition Regulation 46.501, acceptance constitutes\nacknowledgement that the supplies or services conform with applicable contract quality\nand quantity requirements.\n\n        Oracle Application Release 11.0.3 and database version 8.0.5 are older versions\nof Oracle Federal Financials and not the versions that were demonstrated, evaluated, and\nrecommended for implementation. Additionally, this modification was not recorded in\nSBA change management procedures, nor reported to the BTIC. SBA\xe2\x80\x99s SDM requires\nthat project management report changes to a Change Control Board (CCB) for approval\nand that procedures be established to ensure that changes are accomplished in an\norganized manner with absolute traceability and accountability. In actuality, the database\nversion 8.0.5 was no longer supported by Oracle at the time of implementation, and\ntherefore Oracle would no longer correct deficiencies in that software and make updates\nand patches available.\n\n       Documentation from Oracle identifies that the Oracle database 8i can be used\nwith the 11.0.3 applications software if the UNIX server is properly partitioned.\n\n        SBA management has recently issued a solicitation for a new ASP/Cross service\nprovider that will upgrade the software to 11i and host a stable and cost effective\noperational environment. The new contract will be for a base year with four optional\nyearly renewals.\n\nb. Other Oracle Software Purchased and Not Implemented\n\n       SBA purchased Oracle software components totaling $523,083 in FY 2000 which\nhave not been utilized. This partially occurred because SBA has halted further JA2MS\n\x0cimplementation due to cost issues from implementing Phase I (the financial system). 
As\na result, SBA does not utilize over 33 percent of the dollar value of the software\npurchased. Additionally, SBA spent an additional $65,061 for year 2002 license updates\nfor these unused software programs.\n\n       Table 3 summarizes the costs of the unused software components that SBA has\nincurred since 2000.\n\n                                         Table 3\n                       JA2MS Software Purchased and Not Implemented\n             Program                         2001 License & Updates   2002 Update   Totals 2001 & 2002\n             Warehouse Builder                              $23,172        $4,490              $27,662\n             Express Server                                 $73,966       $14,331              $88,297\n             Financials and Sales Analyzer                  $84,037        $9,739              $93,776\n             Human Resources                               $191,360       $17,262             $208,622\n             Advanced Benefits                              $90,052       $11,508             $101,560\n             HR Intelligence                                $56,283        $7,192              $63,475\n             Training Administration                         $4,216          $539               $4,755\n             Totals                                        $523,086       $65,061             $588,147\n\n        The Oracle components that are not utilized include: Warehouse Builder, Express\nServer, Human Resources (HR), HR Intelligence, HR Training Administration and\nFinancial and Sales Analyzer.\n\nRecommendations:\n\n       We recommend that the Chief Information Officer:\n\n3A.    Inform the BTIC when large-scale development projects need to be materially\n       altered during development.\n\n3B.    Perform a second-party review and analysis of proposed changes to large-scale\n       development projects when those changes would materially affect the system\n       under development.\n\n3C.    
Ensure full and proper configuration management and change control in future\n       large-scale development efforts.\n\n\n\n\n       We recommend that the Chief Financial Officer:\n\x0c3D.    Review the JA2MS procurement contract to determine if annual license fees for\n       software purchased but not currently implemented (equaling $65,061 in FY 2002)\n       can be suspended until the software is actually implemented.\n\nManagement Response:\n\n        SBA agreed with the recommendations. For recommendation 3D, SBA considers\nthe issue a contracting and legal issue and will refer it to SBA\xe2\x80\x99s Office of Procurement\nand Grants Management and the Office of General Counsel for resolution.\n\nAssessment of Management\xe2\x80\x99s Response:\n\n       Management\xe2\x80\x99s comments are responsive to the recommendations.\n\x0cFinding 4 JA2MS System Security does Not Fully protect SBA\n\n        JA2MS was not fully accredited prior to being put into production. Additionally,\nother aspects of JA2MS may not allow for complete confidentiality of sensitive SBA\npersonnel information. These security issues are part programmatic, part structural and\npart issues with the Oracle software. As a result, the JA2MS system is not fully secure\nand potential breaches of security could occur and go undetected.\n\na. JA2MS was Not Timely Authorized to Process Information\n\n         SBA initially conducted an interim Certification and Accreditation (C&A) review\nprior to putting JA2MS into production at a temporary application service provider (ASP)\nin October 2001. However, this was a conditional C&A and was supposedly valid for\nonly 180 days or until the system was transferred to the permanent ASP. A full C&A\nwas not finalized prior to placing the system into production at the permanent site. 
As a\nresult, the JA2MS system operated without a valid accreditation for almost one year and\nthe vulnerabilities and their associated remedial actions were not known and\ncorresponding corrective actions not timely undertaken for that time frame.\n\n       OMB Circular A-130, Appendix III requires that computer systems be certified\nand accredited before being put into production. Additionally, the C&A process\nmandates that a security plan and a risk assessment are performed before the system is\nimplemented.\n\n        The C&A was finalized for JA2MS at the permanent ASP almost one year after\nthe system was transferred to the permanent site. Overall risk exposure was rated as\nhigh, and recommendations were made for changes that, if implemented, would reduce\noverall system risks to low. Some of the risks identified were exactly the same risks as\nwhen JA2MS was operated at the interim ASP. The continuing existence of these risks\nindicates that sufficient attention has not been paid to JA2MS security.\n\nb. [ FOIA Exemption 2]\n\x0cc. System Audit Trails and Logging are Not Enabled\n\n       Audit trails and logging are not enabled in the JA2MS system environment.\nAccording to OCFO this is because the system slows down considerably beyond what is\nreasonable when audit trails are enabled. 
However, from discussions with OCFO and\nOCIO, we believe that this is due to not choosing to log and audit only those security\nrelevant events and items that should be necessary to identify if a perpetrator is trying to\nmis-use the system or enter potentially fraudulent transactions.\n\n      According to the JFMIP framework, financial management systems in the federal\ngovernment must be designed to provide a complete audit trail to facilitate audits.\n\n        Audit trails are a necessary security component because they provide records of\naccess and changes to system records, and are a mechanism to ensure user accountability.\nWithout an adequate system of audit trails, sufficient information is not gathered to\nperform investigations of security incidents and for ongoing monitoring of user activities.\nThis issue was previously made known to SBA in an OIG memorandum on October 9,\n2001. The SBA CIO and CFO responded to OIG that audit trails would be enabled for\nJA2MS in the 2nd quarter of FY 2002. However, as of December 15, 2002, audit trails\nhave yet to be implemented in JA2MS.\n\nRecommendations:\n\n       We recommend that the Chief Information Officer:\n\n4A.    Complete Certification and Accreditation reviews prior to placing new SBA\n       major applications and general support systems into production.\n\n       We recommend that the Chief Information Officer in conjunction with the Chief\nFinancial Officer:\n\n4B.    Work with the vendor for Oracle Federal Financials to create an alternate\n       identifier for SBA personnel to ensure that employee SSN\xe2\x80\x99s are not visible or\n       accessible to users.\n\n4C.  Determine what actions and events to audit and enable the JA2MS audit trails for\n     those actions and events.\nManagement Response:\n\n       SBA agreed with the recommendations. 
SBA noted that recommendation 4C has\nalready been implemented.\n\nAssessment of Management\xe2\x80\x99s Response:\n\n       Management\xe2\x80\x99s comments are responsive to the recommendations.\n\x0cFinding 5 System Testing Prior to Implementation was Not Adequate\n\n        JA2MS was placed into production without sufficient and complete testing of\nfunctions and interfaces. This occurred because SBA was committed to placing JA2MS\ninto production on its scheduled implementation date. As a result, processing errors and\nuser confusion prevented JA2MS from operating as intended. Additionally, some of these\nproblems could have been mitigated by running JA2MS in parallel with FFS.\n\na. Some JA2MS System Components Failed Testing of Functions and Interfaces\n\n         JA2MS System testing was not completed successfully prior to system\nimplementation. There was evidence that many tests failed while others were not\nperformed at all. However, SBA was committed to implement JA2MS by October 1,\n2001 and allowed the system to be placed into production with errors and defects. As a\nresult, users experienced errors and considered the system unreliable.\n\n        The SBA System Development Methodology (SDM) requires successful testing\nof the complete system, including all the functions and all the logic paths of each\nsoftware module.\n\n        Several interfaces were not completed by the system activation date, however, the\nsystem was placed into production and the contractor continued working to complete the\ninterfaces. The interfaces that were not fully complete and tested were:\n\n            \xe2\x80\xa2   Bank of America,\n            \xe2\x80\xa2   Federal Express, and\n            \xe2\x80\xa2   USDA National Finance Center Payroll.\n\n         Additionally, the year-end closing process had not been tested. 
The Bank of\nAmerica and Federal Express interfaces caused problems to users early in system\nproduction and the first Year-end close (October 2002) took over a week to accomplish.\nThese problems might have been avoided had the system been fully tested prior to putting\nit into production.\n\nb. An Independent Verification and Validation was Not performed\n\n        There was no Independent Verification and Validation (IV&V) or project audit\nfor JA2MS. This occurred because of SBA\xe2\x80\x99s insistence on implementing JA2MS by its\nplanned implementation date. Additionally, the costs of implementing JA2MS exceeded\nits planned budget. As a result, the JA2MS system experienced major problems early on,\nsome of which remain uncorrected, and can be partially attributed to the lack of an\nIV&V.\n\n        The SBA SDM requires the independent verification and validation of software\ntesting results by a third party.\n\n        SBA\xe2\x80\x99s Quality Assurance policy for IT projects specifies that independent and\nobjective verification of project results be performed. An independent reviewer is more\nlikely to be impartial than a reviewer or a contractor with a vested interest in the project.\n\x0cRecommendation:\n\n      We recommend that the Chief Information Officer:\n\n5A.   
Ensure that newly developed large-scale major applications and general support\n      systems are fully tested before implementation and that an Independent\n      Verification and Validation review is performed after system testing but prior to\n      placing system into production.\n\nManagement Response:\n\n      SBA agreed with the recommendation.\n\nAssessment of Management\xe2\x80\x99s Response:\n\n      Management\xe2\x80\x99s comment is responsive to the recommendation.\n\x0cFinding 6: JA2MS is Not Fully JFMIP Compliant and does Not Meet System\n           Requirements\n\n       JA2MS does not fully meet JFMIP requirements, even though Oracle Federal\nFinancials is certified as being JFMIP compliant. Additionally, JA2MS does not meet a\nnumber of major system requirements including many of the aspects of an ERP. This has\nnegated many of the initial reasons that JA2MS was selected to be SBA\xe2\x80\x99s financial\nsystem. As a result, SBA has a system that does not meet its requirements, nor perform\nas expected.\n\n      According to the JFMIP framework, financial management systems in the federal\ngovernment must be designed to:\n\n         \xe2\x80\xa2       Collect accurate, timely, complete, reliable, and consistent information;\n         \xe2\x80\xa2       Provide for adequate agency management reporting;\n         \xe2\x80\xa2       Facilitate the preparation of financial statements, and other financial reports in\n                 accordance with federal accounting and reporting standards; and\n         \xe2\x80\xa2       Provide information to central agencies for budgeting, analysis, and government-\n                 wide reporting, including Consolidated Financial Statements.\n\na.               A JA2MS Feature does Not Adequately Report the Results of Financial\n                 Operations\n\n       SBA purchased a financial reporting system called \xe2\x80\x9cFinancial Analyzer\xe2\x80\x9d for\n$93,776 from World Wide Technology, Inc. 
Financial Analyzer proved to be unstable\nand unreliable. As a result, SBA abandoned using it for reporting purposes. However,\nwe could not determine whether SBA ever tried to gain a refund for this non-functioning\nsoftware.\n\n       A second tool for financial reporting called \xe2\x80\x9cDiscoverer\xe2\x80\x9d has been used to create\nbudgeting and other accounting reports. However, SBA users cannot produce needed\nfinancial reports on demand as there are only ten user licenses and the software is not\nweb-enabled.\n\nb.     JA2MS Automatically Initiated a Number of Duplicate Payments\n\n       During FY 2002 four duplicate payments totaling over $278,000 were initiated by\nthe JA2MS system. One of the recipients notified SBA and three other duplicate\npayments were then identified by the Denver Finance Center. System edits which should\nhave identified and prevented this situation did not perform as expected.\n\nc.     Certain Transactions and Vendor Identifiers Cannot be Modified in JA2MS\n\n       Requisitions and purchases which have been approved cannot be modified in\nJA2MS. SBA has been creating a new document with virtually the same voucher or ID\nnumber with a letter or numeral appended to the document number. For changes to\nvendor identifiers (names or addresses), a monetary amount is required to be entered with\nthe change to the vendor identifier. SBA has been adding one cent with the change to the\n\x0cvendor file. This amount will stay outstanding and need to be closed within JA2MS at the\nend of the year.\n\nd.     JA2MS does Not Always Successfully Cancel a Transaction\n\n        Purchase orders and other requisitions are not always successfully cancelled\nwithin JA2MS. When a number of transactions were cancelled, the system did not\nautomatically de-obligate funds and return the transaction to the requisition phase. 
SBA\npersonnel have had to research the entire general ledger within JA2MS and ensure that the\ntransaction cancellation successfully de-obligated funds. This has caused SBA offices to\nkeep track of their spending and budgeting with spreadsheets and other cuff-records.\n\ne.     Funds Verification is Slow\n\n        JA2MS does not timely verify the availability of budgeted amounts against\npotential expenditures when entering purchase orders or requisitions. The JA2MS system\nqueries all budget groups and for all time periods, not just the ones entered for\nverification. As a result, the funds verification can take from several minutes to half an\nhour to complete one transaction.\n\n        JA2MS usefulness to managing funds on a day-to-day basis is therefore deficient\nand does not measure up to providing the information necessary to operate SBA\nefficiently and effectively. Therefore, JA2MS utility is marginal at best and it has a\nnumber of functional shortcomings that make it a poor choice for today\xe2\x80\x99s financial\nmanagement needs. The software that has never been implemented should be returned\nand a refund sought from the vendor.\n\nRecommendations:\n\n       We recommend that the Chief Financial Officer:\n\n6A.    Seek monetary recovery from World Wide Technology, Inc. for $93,776, or an in-\n       kind contribution of additional Oracle Discoverer licenses to compensate for the\n       unusable Financial Analyzer software.\n\n6B.    Enable users to make dollar or non-dollar modifications to spending documents\n       without the creation of a new record.\n\n6C.    Follow-up with Oracle to ensure that JA2MS is corrected so that finally closing\n       documents result in the restoration of funds.\n\n       We recommend that the Chief Financial Officer in conjunction with the Chief\nInformation Officer:\n\n6D.    
Determine if funds checking can be expedited in the current JA2MS hardware or\n       software configuration.\n\nManagement Response:\n\x0c[FOIA Exemption 5]\n\x0cAssessment of Management\xe2\x80\x99s Response:\n\n       Draft recommendation 6B was deleted from the report after we determined the\ncondition had been corrected prior to issuance of the draft report. Management\xe2\x80\x99s\ncomments are responsive to all of the other recommendations.\n"